Install an external admission controller

I manage several k8s clusters and have been experimenting with LKE for a client. For the application I have several mutating admission controllers. One of these I run on a google cloud function endpoint for decrypting secrets using berglas.

On a GCP k8s or a self-managed cluster these instructions work fine: A GCP cloud function is deployed and that endpoint is used in a MutatingWebhookConfiguration as a clientConfig.url.

AFAICT this does not work. My cloud function never receives an AdmissionReview request from LKE.

So I rolled up my sleeves, and wrote some additional Go + helm to:

  • use cert-manager to create a self-signed cert
  • save cert to secret
  • use cert-manager cainjector to inject the cert into the MutatingWebhookConfiguration
  • create Dockerfile + deployment for berglas admission mutation webhook
  • attach the certificate secret to the berglas webhook deployment as a volume
  • use the certificate to start a TLS webhook
  • install the webhook into the LKE cluster

That works! So it appears that using a clientConfig that targets an endpoint in the cluster works fine. cert-manager and other apps do this, and I was able to get it to work myself. However, a clientConfig.url that targets an endpoint that is not inside the cluster and is hosted at an external location does not seem to work.

I didn't see any documentation on this, so this left me wondering if this behavior is expected.

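The in-cluster webhook the steps above describe, written out as an added example (this is not the poster's code and not berglas's own webhook). It is a minimal mutating admission webhook in Go using only the standard library: it serves TLS from the cert-manager-issued Secret mounted into the Deployment, decodes an admission.k8s.io/v1 AdmissionReview, and answers with a base64 JSON Patch that adds one annotation to the Pod. The mount path /etc/webhook/certs, port 8443, the /mutate path, the annotation key example.com/mutated, and the hand-written subset of the AdmissionReview types (instead of importing k8s.io/api) are all assumptions made for the example; the MutatingWebhookConfiguration would point at this server with clientConfig.service (plus the cainjector annotation), which is the form the post reports working on LKE.

```go
// Added example, not code from the original post: a minimal in-cluster
// mutating admission webhook. Paths, port, annotation key and the reduced
// AdmissionReview types below are assumptions for illustration.
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"log"
	"net/http"
	"strings"
)

// Subset of the admission.k8s.io/v1 wire format that this handler needs.
// The real k8s.io/api types carry many more fields.
type AdmissionReview struct {
	APIVersion string             `json:"apiVersion"`
	Kind       string             `json:"kind"`
	Request    *AdmissionRequest  `json:"request,omitempty"`
	Response   *AdmissionResponse `json:"response,omitempty"`
}

type AdmissionRequest struct {
	UID    string          `json:"uid"`
	Object json.RawMessage `json:"object"`
}

type AdmissionResponse struct {
	UID       string  `json:"uid"`
	Allowed   bool    `json:"allowed"`
	PatchType *string `json:"patchType,omitempty"`
	Patch     []byte  `json:"patch,omitempty"` // encoding/json base64-encodes []byte, as the API expects
	Result    *Status `json:"status,omitempty"`
}

type Status struct {
	Message string `json:"message,omitempty"`
}

// patchOp is one RFC 6902 JSON Patch operation.
type patchOp struct {
	Op    string      `json:"op"`
	Path  string      `json:"path"`
	Value interface{} `json:"value,omitempty"`
}

const annotationKey = "example.com/mutated" // assumed key for the example

// escapeJSONPointer applies RFC 6901 escaping so a key containing "/" or "~"
// (annotation keys usually do) is a single path segment.
func escapeJSONPointer(s string) string {
	return strings.NewReplacer("~", "~0", "/", "~1").Replace(s)
}

// buildPatch adds key=value to metadata.annotations. If the object has no
// annotations map yet, the whole map must be created, not a single key;
// an "add" to /metadata/annotations/<key> would fail on a missing parent.
func buildPatch(object []byte, key, value string) ([]patchOp, error) {
	var obj struct {
		Metadata struct {
			Annotations map[string]string `json:"annotations"`
		} `json:"metadata"`
	}
	if err := json.Unmarshal(object, &obj); err != nil {
		return nil, fmt.Errorf("decode object: %w", err)
	}
	if obj.Metadata.Annotations == nil {
		return []patchOp{{Op: "add", Path: "/metadata/annotations", Value: map[string]string{key: value}}}, nil
	}
	return []patchOp{{Op: "add", Path: "/metadata/annotations/" + escapeJSONPointer(key), Value: value}}, nil
}

// handleReview turns an AdmissionReview request body into a response body.
// On a decode failure inside the object it fails closed (allowed=false) so a
// malformed object is never admitted unmutated.
func handleReview(body []byte) ([]byte, error) {
	var review AdmissionReview
	if err := json.Unmarshal(body, &review); err != nil {
		return nil, fmt.Errorf("decode AdmissionReview: %w", err)
	}
	if review.Request == nil {
		return nil, fmt.Errorf("AdmissionReview has no request")
	}
	resp := &AdmissionResponse{UID: review.Request.UID, Allowed: true}
	if ops, err := buildPatch(review.Request.Object, annotationKey, "true"); err != nil {
		resp.Allowed = false
		resp.Result = &Status{Message: err.Error()}
	} else if patch, err := json.Marshal(ops); err != nil {
		return nil, fmt.Errorf("encode patch: %w", err)
	} else {
		pt := "JSONPatch"
		resp.PatchType = &pt
		resp.Patch = patch
	}
	// The response must echo apiVersion/kind and the request UID.
	return json.Marshal(AdmissionReview{APIVersion: review.APIVersion, Kind: review.Kind, Response: resp})
}

func mutateHandler(w http.ResponseWriter, r *http.Request) {
	if !strings.HasPrefix(r.Header.Get("Content-Type"), "application/json") {
		http.Error(w, "expected application/json", http.StatusUnsupportedMediaType)
		return
	}
	body, err := io.ReadAll(http.MaxBytesReader(w, r.Body, 1<<20)) // cap request size
	if err != nil {
		http.Error(w, err.Error(), http.StatusBadRequest)
		return
	}
	out, err := handleReview(body)
	if err != nil {
		http.Error(w, err.Error(), http.StatusBadRequest)
		return
	}
	w.Header().Set("Content-Type", "application/json")
	w.Write(out)
}

func main() {
	// Assumed mount point of the cert-manager Certificate's Secret (tls.crt, tls.key).
	const certDir = "/etc/webhook/certs"
	http.HandleFunc("/mutate", mutateHandler)
	log.Fatal(http.ListenAndServeTLS(":8443", certDir+"/tls.crt", certDir+"/tls.key", nil))
}
```

The CA that signed the serving cert is what cainjector copies into the webhook's caBundle, so the kube-apiserver validates this server against it; the server itself does not verify the apiserver's client cert here, which is the usual arrangement for webhooks reachable only on the cluster network.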
1 Reply

This sort of setup won't work on an LKE cluster, as the kube-apiserver will not be able to reach a service running external to the cluster.

A workaround is HashiCorp's Consul. That is very good at taking external (to the cluster) networking and bringing it inside the cluster.

